CloudBees refocuses with IT compliance automation buy
CloudBees previews the fruits of a quietly acquired stealth IT compliance automation startup and modifies its platform plans under new executive leadership.
CloudBees unveiled the latest component of its DevOps platform strategy this week: a low-code IT compliance automation tool developed by a stealth startup it acquired this month.
The tool, CloudBees Compliance, has not been released to general availability, but vendor executives, including a new chief information security officer (CISO) and CTO, demonstrated the product during this week's virtual DevOps World conference. It's expected to ship in the first quarter of 2022.
The tool is based on IP acquired in early September from UK-based Neuralprints. It adds a low-code interface to the open source Open Policy Agent, which automatically translates IT compliance rules into OPA's Rego programming language for security and compliance policy enforcement within IT infrastructure via CloudBees CI/CD pipelines.
OPA has risen to prominence in the Cloud Native Computing Foundation (CNCF) community over the last two years, but some users find Rego difficult to use, and adding OPA programming to developers' workloads can slow down application delivery.
"[CloudBees Compliance] converts [compliance and security] rules into code, without the people who do that for a living needing to learn to code," said Prakash Sethuraman, who served on Neuralprints' board of directors and joined CloudBees as CISO from HSBC in June. "The slowest way to achieve continuous compliance is to ask all the security and compliance people to start writing down requirements and have developers convert it into code -- that would be a three-year program in its own right ... at scale."
CloudBees Compliance requires some technical knowledge about IT infrastructure, such as the names of security groups and network ports. IT security and compliance teams must plug these specific environment variables into CloudBees Compliance, but the tool then does the rest of the Rego code generation required to enforce such rules throughout the IT infrastructure. It also offers prebuilt versions of common IT compliance and security rules, such as locking down security groups within AWS by default.
CloudBees Compliance is in beta now with customer design partners, which company officials declined to name. One CloudBees customer, Fidelity Investments, plans to consider the product once it becomes available.
Gerard McMahon
Asking developers to create policy as code introduces too much friction into the development process, said Gerard McMahon, head of application lifecycle management (ALM) tools and platforms at the Boston-based financial services company. Ideally, he'd like to find ways to decrease that friction.
"The more we can automate behind the scenes, the better," he said. "If a platform behind the scenes is doing that on behalf of the developers, that's a good thing."
SDM strategy becomes CloudBees Platform
This isn't the first platform strategy from CloudBees. A year ago, then-CEO Sacha Labourey previewed a software delivery management (SDM) product, originally due out by the end of 2020. It was a SaaS-only framework that would include plugin modules such as Feature Management for feature flag management and Engineering Efficiency for DevOps monitoring and metrics. SDM was also meant to give enterprises a centralized view into DevOps workflows; Labourey, now CloudBees chief strategy officer, described SDM as distinct from its Software Delivery Automation tools, including its Jenkins-based CI/CD tools.
This year, new CloudBees execs, including Labourey's successor as CEO, Stephen DeWitt, said they're still planning to deliver a unified interface for CloudBees products but under a different name -- the CloudBees Platform. The Feature Management and Engineering Management modules did ship in December 2020; Feature Management was updated with UI-level integration into CloudBees CI/CD tools this week. Engineering Efficiency has become CloudBees Analytics. CloudBees also offers Enterprise Release Orchestration, which includes value stream management features and reporting on DevOps Research and Assessment metrics.
CloudBees officials downplayed the changes this week, saying they amount to a set of branding and name updates. But there are other differences between the description Labourey provided of SDM and new execs' stated plans for CloudBees Platform. For example, SDM was meant to be SaaS-only, but CloudBees Platform will also support self-managed cloud and on-premises deployments by users, CloudBees officials said this week.
Industry analysts see more than a name change here, too. However, they also said CloudBees Platform looks like a better bet for the vendor in its efforts to appeal to large enterprises.
Michael Delzer
"The end users that I communicate with said they didn't want a separate SKU and they didn't want a separate UI," said Michael Delzer, an analyst at GigaOm, of CloudBees SDM. "They wanted a more continuous experience. So, what was supposed to be a separate product is now just a different persona of user experience."
Dinesh Keswani, also a member of Neuralprints' board of directors and previously CTO at HSBC, was named CTO of CloudBees this month. He alluded to this UX consolidation plan during a DevOps World press and analyst briefing this week.
"SDM did exist as a roadmap and a strong vision that hasn't gone away," he said. "What I'm trying to do is simplify how a developer looks at products and services as a platform, and you need an interface to the platform. ... As long as [they] have a unified interface, [they] can accomplish the tasks [they] need without leaving that platform or the interface."
CloudBees Compliance also has the potential to be a stronger sell than value stream management or feature management, Fidelity's McMahon said, given how hot a topic DevOps security, or DevSecOps, has become.
"Security and compliance have become the No. 1 priority in CI/CD," he said. "Some of the public hacks that happened during the last 12 months have demonstrated that there's definitely a need in the industry to be much more aware of the risk there."
Enterprise IT faces DevOps platform glut
CloudBees is far from the only vendor that recently started broadening its product line into an "end-to-end" DevOps platform. Competitors with platform strategies range from erstwhile binary artifact specialist JFrog to Microsoft, which can offer everything from GitHub code repositories and Azure DevOps workflows to the Azure cloud infrastructure itself. Other DevOps-associated companies such as Progress Chef and Puppet are also branching out into IT compliance automation and DevOps automation platforms.
The slowest way to achieve continuous compliance is to ask all the security and compliance people to start writing down requirements and have developers convert it into code.
Prakash SethuramanCISO, CloudBees
Analysts said users want to consolidate the number of vendors they have to deal with, but how they will decide which vendors to keep remains an open question.
"There are a lot of competitors, but the market is still ripe for the taking," said Jim Mercer, an analyst at IDC. "Enterprises have begun to adopt DevOps, but they're still not really scaled out. They want to [reduce] the [number of] tools they use, but developers can be fussy."
CloudBees' strength remains the size of the Jenkins user base -- some 60% of the install base for enterprise CI/CD, according to GigaOm's Delzer. Large enterprises will also require technical support from a vendor, which CloudBees can spin into revenue. The fact that Jenkins has been established for years also means it has a mature ecosystem of add-ons and vendor integrations, which CloudBees curates for enterprise customers.
Enterprises can move to a different CI/CD toolchain, such as GitLab's or Microsoft's, but that can be an arduous process, and is unlikely to happen wholesale.
"With the size and scale of Fidelity, one vendor can't supply everything," McMahon said.
Teams with greenfield apps may choose a newer CI/CD tool from a cloud provider such as AWS or from the CNCF community such as ArgoCD for GitOps, but those newer tools can't necessarily accommodate as broad a spectrum of apps as Jenkins, McMahon said.
"If you get into any level of complexity, [newer specialized tools] actually break down very quickly," he said. "Then you have to use something like Jenkins to fill the gaps."
CloudBees has also pledged its platform will integrate with third-party vendors, including IT compliance automation and security monitoring partners, to preserve flexibility for users working with multiple vendors and platforms.
Now the challenge for CloudBees -- after years of acquisitions, executive changes and roadmap updates -- is execution, IDC's Mercer said.
"They do have the benefit of being an early mover in CI/CD; they have a brand and possession of a large part of the market," he said. "If CloudBees Compliance comes out in January or February, we'll see how it plays out -- if not, patience will start to run thin. They only get so many swings at the plate."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
Gerard McMahon
Michael Delzer
